1/14/2010 @ 6:50PM

Google China Hackers' Unexpected Backdoor

When
Google
recently disclosed an attack originating from China targeting more than 20 U.S. technology companies, the company revealed only that the attack was “highly sophisticated and highly targeted.” On Thursday
McAfee
announced that it found at least one of the technological footholds for the attack: a previously unknown vulnerability in
Microsoft’s
Internet Explorer browser.

Targeted attacks using unpublished vulnerabilities in browsers are nothing new, especially for companies like Google with valuable intellectual property to protect. In fact, what may be most striking about the so-called “Aurora” exploit is just how old the attackers’ target was.

As hundreds of browser bugs have been exposed and patched over the last decade, browser attacks like the one Aurora used are considered by some cybersecurity researchers to be on the wane compared with trendier targets like PDF readers, browser plug-ins and other complex applications, says Ed Skoudis, a cybersecurity researcher with IntelGuardians. That’s because programs like Internet Explorer have been probed for vulnerabilities for years and patched repeatedly, while programs like
Adobe
Readers are just starting to be targeted by hackers.

Cybersecurity researchers publicized 30 new bugs in Internet Explorer last year, compared with 49 in 2007 and 90 in 2006, according to iDefense, the security division of Verisign. That compares with 45 bugs in Adobe Acrobat last year, up from a mere four in 2006. Those kinds of statistics appeared to show that Internet Explorer was being hardened over time as various bugs were exposed and patched, Skoudis says.

“Everyone thought this had already been raked over,” says Skoudis. “But this shows that we’re still going to find vulnerabilities in less fertile hunting grounds.” In other words, says Skoudis, the Chinese hackers who found a new, unpublicized and powerful vulnerability in Internet Explorer were either “very clever, or extremely lucky.”

Dmitri Alperovitch, who oversees threat research at McAfee and helped identify the vulnerability, votes for “clever.” “To identify and use a vulnerability in IE is quite difficult and requires a great deal of sophistication,” he says.

Alperovitch says the code planted by the attackers was also extremely sophisticated, using encryption and covert channels to hide itself, and was written from scratch, rather than cookie-cutter code pulled from other exploits.

Like others who have analyzed the attack, including Google, McAfee couldn’t trace it to the Chinese government. The command and control servers that McAfee found were located in the U.S. and Taiwan, not in mainland China. But Alperovitch says the complexity of the code and the fact that the hackers were able to find such a powerful vulnerability in common software points to government connections.

“This was an attention to detail and a sophistication that we rarely see outside of the defense industrial complex,” he says.

Microsoft acknowledged the bug on its security advisory site Thursday and is expected to issue an emergency patch.

One lesson of the Aurora hack, says Alan Paller, director of the computer security-focused SANS Institute, is that it’s not enough to merely seek out bugs and periodically patch systems. Internet Explorer, after all, has been patched again and again in response to new bugs. Instead software developers need to focus on coding securely in the first place.

“Patching is reactive. You need to get ahead of the problem,” he says. “You need people to write code without errors.”

One step Paller has long recommended is tougher procurement standards for government software, a security move he believes would trickle out to business and consumer software as well. So far, that’s been an uphill battle, he says. Though New York state and some agencies have adopted stricter rules, there’s still no government-wide standard. “We may only win this fight after something terrible happens,” he says.